Gluu 4.4.1 Release Notes
Updates for stability, the introduction of an allowlist and blocklist for redirect_uris (which enhances security if this optional parameter is used), and more secure email handling for MFA (and other email services).
Request_uri blocklist and allowlist implemented to enhance security
The request_uri Authorization Request parameter enables OpenID Connect requests to be passed by reference, rather than by value (see the spec). However, because the IDP fetches the request object from whatever URL the client supplies, a request_uri handled exactly as written in the spec could be used to launch an SSRF (Server-Side Request Forgery) attack against the IDP. To mitigate this risk, we’ve implemented both a request_uri blocklist and a request_uri allowlist that are configurable in the Gluu Server OpenID Provider JSON configuration.
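As an added illustration of the check an OpenID Provider performs before fetching a request_uri (example code, not Gluu's implementation; the list contents and the prefix-matching allowlist semantics are assumptions, and the real Gluu configuration property names are not reproduced):

```python
"""Illustrative request_uri validation for an OpenID Provider (not Gluu's code).

The IDP fetches the request object server-side, so an attacker-controlled
request_uri can turn the IDP into an SSRF proxy. Before fetching, reject hosts
on a blocklist and, when an allowlist is configured, require a match there too.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed blocklist: loopback, link-local (cloud metadata), private ranges
# and hostnames the IDP should never fetch from. Entries may be names,
# single addresses or CIDR networks.
DEFAULT_BLOCKLIST = ["localhost", "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8",
                     "172.16.0.0/12", "192.168.0.0/16", "::1", "fc00::/7"]


def _host_blocked(host, blocklist):
    """True if host literally matches a blocked name or lies in a blocked network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a DNS name, not an IP literal
    for entry in blocklist:
        if addr is not None and "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif addr is not None:
            try:
                if addr == ipaddress.ip_address(entry):
                    return True
            except ValueError:
                pass  # entry is a hostname, cannot match an IP literal
        elif host.lower() == entry.lower():
            return True
    return False


def request_uri_allowed(uri, allowlist=None, blocklist=DEFAULT_BLOCKLIST):
    """Return (allowed, reason). Only https is accepted; the blocklist is always
    applied; a non-empty allowlist is a list of URI prefixes, one of which must
    match. A production check must also resolve the hostname and re-check the
    resulting addresses, and must not follow redirects blindly."""
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.hostname:
        return False, "scheme must be https with a host"
    host = parsed.hostname  # brackets are already stripped from IPv6 literals
    if _host_blocked(host, blocklist):
        return False, "host is blocklisted"
    if allowlist and not any(uri.startswith(prefix) for prefix in allowlist):
        return False, "uri not in allowlist"
    return True, "ok"
```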
- Version 4.4.1
- Version 4.4
- Version 4.3
  - Amazon Aurora and Google Spanner support for Gluu Server Cloud Native (“Gluu CN”)
  - Support for FIDO 2.0 platform authenticators (e.g. Apple TouchID)
  - Improvements to the SCIM API
  - More metrics! You can now get data on “monthly active users”
  - Shibboleth IDP: major update to version 4.1.4
  - A new VM distribution for SUSE Enterprise Linux (SLES 15 sp3)
  - A new VM distribution for RHEL 8 with the DISA STIG security profile
- Version 4.2
- Version 4.1
- Version 4.0